Fwd: (RADIATOR) Username/Password hacking while using AuthBy SQL

Rodrigo Nuno Bragança da Cunha rodrigo.cunha at corp.vodafone.pt
Wed Dec 10 06:15:16 CST 2003


Oh, I didn't see that, thanks! Mea culpa.

Ok, half the problem solved :-)

How about the password?... since in order to support various valid 
sessions for the same username the password must be part of the search 
query, right? Without the password the query might return multiple 
rows, and Radiator will only look at the first, or is there something 
I'm not seeing here?

Hugh Irvine wrote:

>
> Hello Rodrigo -
>
> As Mike says below, you can use %4 for the quoted username instead of 
> %U in your AuthLog.
>
> regards
>
> Hugh
>
>
> Begin forwarded message:
>
>> From: Mike McCauley <mikem at open.com.au>
>> Date: 10 December 2003 11:34:46 AM
>> To: Hugh Irvine <hugh at open.com.au>
>> Subject: Re: Fwd: (RADIATOR) Username/Password hacking while using 
>> AuthBy SQL
>>
>> Hi Hugh,
>>
>>
>> On Wed, 10 Dec 2003 10:12 am, Hugh Irvine wrote:
>>
>>> Morning Mikey -
>>>
>>> Here is a further query regarding malicious characters in usernames and
>>> passwords affecting SQL logging.
>>
>>
>>
>> in Log SQL, the SQL _quoted_ user name is available as %4. So if you 
>> use %4, I
>> would see no probs with username.
>>
>> Cheers.
>>
>>>
>>> cheers
>>>
>>> Hugh
>>>
>>> Begin forwarded message:
>>>
>>>> From: Rodrigo Nuno Bragança da Cunha <rodrigo.cunha at corp.vodafone.pt>
>>>> Date: 9 December 2003 11:24:48 PM
>>>> To: radiator at open.com.au
>>>> Subject: Re: (RADIATOR) Username/Password hacking while using AuthBy
>>>> SQL
>>>>
>>>> Hugh Irvine wrote:
>>>>
>>>>> Hello Rodrigo -
>>>>>
>>>>> You can use the UsernameCharset parameter to restrict the characters
>>>>> in the username.
>>>>>
>>>>> See section 6.4.30 in the Radiator 3.7.1 reference manual.
>>>>>
>>>>> As far as the password is concerned, this field is only read from the
>>>>> database and the comparison is done inside Radiator.
>>>>
>>>>
>>>> Well... it works, but it is not enough. It won't work for SQL logging, for
>>>> instance.
>>>>
>>>> Also I need the password in the SQL query itself because there can be
>>>> various active and valid sessions for the same username, and a query
>>>> without password might return many valid sessions. So the password is
>>>> exploitable also. Perhaps a "PasswordCharset" clause would work :-)
>>>>
>>>> The Charset should apply to auth logging also, right?
>>>>
>>>> I'm sending the configuration file. It works fine as is, except with
>>>> malicious username/passwords ...
>>>>
>>>>> NB: have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>>
>>>> Here goes the trace, including the SQL syntax errors, which could be
>>>> exploited.
>>>>
>>>> Thanks for the help!
>>>>
>>>> Tue Dec  9 12:08:22 2003: DEBUG: Finished reading configuration file
>>>> '/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg'
>>>> Tue Dec  9 12:08:22 2003: DEBUG: Reading dictionary file
>>>> '/home/radius/Radiator-3.7.1/dictionary'
>>>> Tue Dec  9 12:08:22 2003: DEBUG: Creating authentication port
>>>> 0.0.0.0:1645
>>>> Tue Dec  9 12:08:22 2003: DEBUG: Creating accounting port 0.0.0.0:1646
>>>> Tue Dec  9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on
>>>> radius-vpn.vf-pt.internal.vodafone.com
>>>> Tue Dec  9 12:08:25 2003: DEBUG: Packet dump:
>>>> *** Received from 127.0.0.1 port 32784 ....
>>>> Code:       Access-Request
>>>> Identifier: 10
>>>> Authentic:  1234567890123456
>>>> Attributes:
>>>>        User-Name = "norte'gregwe"
>>>>        Service-Type = Framed-User
>>>>        NAS-IP-Address = 203.63.154.1
>>>>        NAS-Port = 1234
>>>>        Called-Station-Id = "123456789"
>>>>        Calling-Station-Id = "987654321"
>>>>        NAS-Port-Type = Async
>>>>        User-Password =
>>>> "<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>"
>>>>
>>>> Tue Dec  9 12:08:25 2003: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Tue Dec  9 12:08:25 2003: INFO: Access rejected for norte'gregwe:
>>>> Invalid character in User-Name
>>>> Tue Dec  9 12:08:25 2003: DEBUG: do query is: 'INSERT   INTO
>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth
>>>> Failure for username norte'gregwe' )':
>>>>
>>>> DBD::mysql::db do failed: You have an error in your SQL syntax near
>>>> 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
>>>> Tue Dec  9 12:08:25 2003: ERR: do failed for 'INSERT    INTO
>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth
>>>> Failure for username norte'gregwe' )': You have an error in your SQL
>>>> syntax near 'gregwe' )' at line 1
>>>> DBD::mysql::db do failed: You have an error in your SQL syntax near
>>>> 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
>>>> Tue Dec  9 12:08:25 2003: ERR: do failed for 'INSERT    INTO
>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth
>>>> Failure for username norte'gregwe' )': You have an error in your SQL
>>>> syntax near 'gregwe' )' at line 1
>>>> Tue Dec  9 12:08:25 2003: DEBUG: Packet dump:
>>>> *** Sending to 127.0.0.1 port 32784 ....
>>>> Code:       Access-Reject
>>>> Identifier: 10
>>>> Authentic:  1234567890123456
>>>> Attributes:
>>>>        Reply-Message = "Request Denied"
>>>>
>>>> Tue Dec  9 12:08:25 2003: DEBUG: Packet dump:
>>>> *** Received from 127.0.0.1 port 32784 ....
>>>> Code:       Accounting-Request
>>>> Identifier: 11
>>>> Authentic:  <201>T'<190><194><144><135>CW(<239><150>=~*m
>>>> Attributes:
>>>>        User-Name = "norte'gregwe"
>>>>        Service-Type = Framed-User
>>>>        NAS-IP-Address = 203.63.154.1
>>>>        NAS-Port = 1234
>>>>        NAS-Port-Type = Async
>>>>        Acct-Session-Id = "00001234"
>>>>        Acct-Status-Type = Start
>>>>        Called-Station-Id = "123456789"
>>>>        Calling-Station-Id = "987654321"
>>>>        Acct-Delay-Time = 0
>>>>
>>>> Tue Dec  9 12:08:25 2003: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Tue Dec  9 12:08:30 2003: DEBUG: Packet dump:
>>>> *** Received from 127.0.0.1 port 32784 ....
>>>> Code:       Accounting-Request
>>>> Identifier: 12
>>>> Authentic:  u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f
>>>> Attributes:
>>>>        User-Name = "norte'gregwe"
>>>>        Service-Type = Framed-User
>>>>        NAS-IP-Address = 203.63.154.1
>>>>        NAS-Port = 1234
>>>>        NAS-Port-Type = Async
>>>>        Acct-Session-Id = "00001234"
>>>>        Acct-Status-Type = Stop
>>>>        Called-Station-Id = "123456789"
>>>>        Calling-Station-Id = "987654321"
>>>>        Acct-Delay-Time = 0
>>>>        Acct-Session-Time = 1000
>>>>        Acct-Input-Octets = 20000
>>>>        Acct-Output-Octets = 30000
>>>>
>>>> Tue Dec  9 12:08:30 2003: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>>
>>>> # vpn3000 suppliers access, prototype configuration
>>>>
>>>> Foreground
>>>> LogStdout
>>>> LogDir        /home/radius/Radiator-3.7.1/logs
>>>> DbDir        /home/radius/Radiator-3.7.1
>>>> # Use a lower trace level in production systems:
>>>> Trace         4
>>>>
>>>>
>>>> # One of these for each NAS you want to work with
>>>> <Client DEFAULT>
>>>>     Secret    ***********
>>>>     DupInterval 0
>>>> </Client>
>>>>
>>>> <AuthBy SQL> # {{{ Identifier auth_adsl_sql
>>>>     Identifier  auth_sql_session
>>>>
>>>>     DBSource    dbi:mysql:bd_remote:127.0.0.1
>>>>     DBUsername  **********
>>>>     DBAuth      **********
>>>>
>>>>     NoDefaultIfFound    # do not look up the DEFAULT user
>>>>     NoDefault           # (under no circumstances)
>>>>
>>>>     AuthSelect \
>>>>         SELECT    session.id, session.password \
>>>>     FROM    suppliers, session \
>>>>         LEFT OUTER JOIN accountlog \
>>>>         ON session.id = accountlog.idsession \
>>>>     WHERE    accountlog.idsession IS NULL AND \
>>>>         session.timestamp > unix_timestamp()-1800 AND  \
>>>>         session.idsupplier = suppliers.id AND \
>>>>         suppliers.nickname = '%U' AND \
>>>>         session.password = '%P' ;
>>>>     AuthColumnDef   0,Class, reply
>>>>     AuthColumnDef   1,Password, check
>>>>
>>>>
>>>> #    HandleAcctStatusTypes Start,Stop
>>>>     AcctSQLStatement    INSERT    INTO accountlog \
>>>>                 ( id, idsession, timestamp, authaccountQ, \
>>>>                 authsuccessQ, duration, comments ) \
>>>>                 VALUES \
>>>>                 ( 0, 0%{Class}, unix_timestamp(), 1, 0,\
>>>>                 0%{Acct-Session-Time}, \
>>>>                 '%{Acct-Status-Type} Record for username %U' )
>>>>
>>>> </AuthBy> # }}}
>>>>
>>>> <Realm DEFAULT>
>>>>     PasswordLogFileName    %L/password.log
>>>>     AuthByPolicy    ContinueUntilAccept
>>>>     AuthBy        auth_sql_session
>>>>     UsernameCharset    a-zA-Z0-9
>>>>
>>>>     <AuthLog SQL>
>>>>
>>>>         DBSource    dbi:mysql:bd_remote:127.0.0.1
>>>>         DBUsername  **********
>>>>         DBAuth      **********
>>>>
>>>>         LogSuccess 1
>>>>         LogFailure 1
>>>>
>>>>     SuccessQuery    INSERT    INTO accountlog \
>>>>                 ( id, idsession, timestamp, authaccountQ, \
>>>>                 authsuccessQ, duration, comments ) \
>>>>                 VALUES \
>>>>                 ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 1, \
>>>>                 0, 'Auth Success for username %U' );
>>>>
>>>>         FailureQuery    INSERT    INTO accountlog \
>>>>                 ( id, idsession, timestamp, authaccountQ, \
>>>>                 authsuccessQ, duration, comments ) \
>>>>                 VALUES \
>>>>                 ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 0, \
>>>>                 0, 'Auth Failure for username %U' )
>>>>
>>>>     </AuthLog>
>>>>     AcctLogFileName    %D/detail
>>>> </Realm>
>>>
>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>
>>
>> -- 
>> Mike McCauley                               mikem at open.com.au
>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
>> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
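Added example (not Radiator code and not from anyone in the thread): a small model of the two interpolation points discussed above, the AuthLog FailureQuery (raw %U versus the SQL-quoted %4 Mike mentions) and the AuthSelect WHERE clause with the raw password (%P), run against an in-memory sqlite3 database standing in for MySQL. Assumptions: %4 yields a complete quoted literal, as DBI's quote() does, so it has to be concatenated into a longer string rather than pasted between quotes; %Q is a placeholder invented here for a quoted password and is not a Radiator special; which specials are quoted inside AuthSelect for a given Radiator version is something to check in that version's manual; all table names, rows and the hostile values are constructed for the demonstration.

```python
"""Added example: model of the two %-interpolation points in the thread's
configuration, run against an in-memory sqlite3 database instead of MySQL.
Not Radiator code; the expander below knows only the specials used here."""
import re
import sqlite3


def sql_quote(value: str) -> str:
    """Quote a string literal the way DBI's quote() does: surround with single
    quotes and double any embedded single quote. The result is a complete
    literal, so it must be concatenated into larger strings, not pasted
    inside another pair of quotes."""
    return "'" + value.replace("'", "''") + "'"


def expand(template: str, username: str, password: str) -> str:
    """Single-pass substitution of the specials this example models
    (a value containing "%4" is therefore not re-expanded).
    %U / %P are the raw values; %4 is the SQL-quoted user name (as Mike
    describes for AuthLog SQL). %Q is NOT a Radiator special: it is a
    hypothetical placeholder for a quoted password."""
    specials = {
        "%U": username,
        "%P": password,
        "%4": sql_quote(username),
        "%Q": sql_quote(password),
    }
    return re.sub(r"%[UP4Q]", lambda m: specials[m.group(0)], template)


# Trimmed versions of the thread's FailureQuery and AuthSelect.
FAILURE_QUERY_RAW = ("INSERT INTO accountlog (idsession, authsuccessQ, comments) "
                     "VALUES (0, 0, 'Auth Failure for username %U')")
# sqlite concatenates with ||; MySQL would use CONCAT('...', %4).
FAILURE_QUERY_QUOTED = ("INSERT INTO accountlog (idsession, authsuccessQ, comments) "
                        "VALUES (0, 0, 'Auth Failure for username ' || %4)")
AUTH_SELECT_RAW = ("SELECT session.id, session.password FROM suppliers, session "
                   "WHERE session.idsupplier = suppliers.id "
                   "AND suppliers.nickname = %4 AND session.password = '%P'")
AUTH_SELECT_QUOTED = AUTH_SELECT_RAW.replace("'%P'", "%Q")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two suppliers, three sessions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE suppliers (id INTEGER PRIMARY KEY, nickname TEXT);
        CREATE TABLE session (id INTEGER PRIMARY KEY, idsupplier INTEGER, password TEXT);
        CREATE TABLE accountlog (id INTEGER PRIMARY KEY, idsession INTEGER,
                                 authsuccessQ INTEGER, comments TEXT);
        INSERT INTO suppliers VALUES (1, 'norte'), (2, 'sul');
        INSERT INTO session VALUES (10, 1, 'first-session-pw'),
                                   (11, 1, 'second-session-pw'),
                                   (20, 2, 'other-supplier-pw');
    """)
    return db


def run(db: sqlite3.Connection, sql: str):
    """Execute one statement: ("ok", rows) or ("error", message)."""
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def last_comment(db: sqlite3.Connection):
    """The comments column of the most recent accountlog row, or None."""
    row = db.execute("SELECT comments FROM accountlog ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else None


def charset_ok(value: str, charset: str = "a-zA-Z0-9") -> bool:
    """Allow-list check modelled on UsernameCharset: every character must be
    in the class. Applied to the password it is the 'PasswordCharset'
    Rodrigo suggests; it rejects the request rather than escaping the value."""
    return re.fullmatch(f"[{charset}]+", value) is not None


if __name__ == "__main__":
    db = setup_db()
    hostile_user, hostile_pw = "norte'gregwe", "x' OR 'x'='x"
    print(run(db, expand(FAILURE_QUERY_RAW, hostile_user, "")))     # syntax error, as in the trace
    print(run(db, expand(FAILURE_QUERY_QUOTED, hostile_user, "")), last_comment(db))
    print(run(db, expand(AUTH_SELECT_RAW, "norte", "first-session-pw")))
    print(run(db, expand(AUTH_SELECT_RAW, "norte", hostile_pw)))     # every session of every supplier
    print(run(db, expand(AUTH_SELECT_QUOTED, "norte", hostile_pw)))  # no rows
    print(charset_ok("norte"), charset_ok(hostile_user))
```

The raw FailureQuery reproduces the "syntax error near 'gregwe'" from the trace, while the %4 form writes the literal user name, quote included. In the AuthSelect, a password of `x' OR 'x'='x` turns the WHERE clause into (... AND password = 'x') OR true, so the unquoted query returns the cross product of every supplier and every session; with the password quoted (or rejected by an allow-list check before the query is built) the hostile value simply matches nothing.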